SSO for O365 works for IE 11, but not Chrome version 63

  • Question

  • Hi,

     We have ADFS 2012 R2 in place. If I clear down cookies and make sure I'm logged out of O365, reboot and then log in to "portal.office.com" and "contoso.sharepoint.com", IE automatically logs me in, but Chrome prompts for a username to be picked. Once I pick the username or enter "mark@contoso.com" I'm automatically directed to ADFS and log in straight away (Chrome doesn't need a password, it grabs it from Windows).

    How can we get Chrome to work with SSO?

    IE settings:
    local intranet zone has "https://portal.office.com" and "https://contoso.sharepoint.com"
    User authentication\Logon set to "Automatic logon only in the intranet zone"

    ADFS settings:

    PS C:\> Get-AdfsGlobalAuthenticationPolicy
    AdditionalAuthenticationProvider      : {}
    DeviceAuthenticationEnabled           : False
    PrimaryIntranetAuthenticationProvider : {FormsAuthentication, WindowsAuthentication}
    PrimaryExtranetAuthenticationProvider : {FormsAuthentication}
    WindowsIntegratedFallbackEnabled      : True

    PS C:\> Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
    MSAuthHost/1.0/In-Domain
    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    MSIPC
    Windows Rights Management Client
    Mozilla/5.0
    Edge/12
    PS C:\>


    IT Support/Everything

    Wednesday, September 19, 2018 2:21 PM

All replies

  • What version of Chrome are you using?
    Have you verified which User Agent that version of Chrome uses?

    Friday, September 21, 2018 8:47 AM
  •  Chrome version 63.0.3239.108 

    I think I need to add Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome") as mentioned below

    Presumably I can remove the string by using - "Chrome")

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

    Will test when I get some time.


    IT Support/Everything

    Friday, September 21, 2018 11:34 AM
  • Run the command Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0")

    The only caution I would add is that if you do not use the "expand" and use just Set-AdfsProperties -WIASupportedUserAgents with just "Chrome", then you will only have that browser enabled and lose all the others.  It is an accretive command!

    Friday, September 21, 2018 8:42 PM
  • Thanks, I'll be sure to use the expand. We've got our ADFS servers WID load balanced, so I'll power off and snapshot the primary beforehand just in case I need another roll back...

    Is "+ "Mozilla/5.0"" needed? It's already listed.


    IT Support/Everything


    • Edited by Aetius2012 Monday, September 24, 2018 10:27 AM .
    Monday, September 24, 2018 10:25 AM
  • Sorry - I missed that it was there already.  Not needed!
    Wednesday, September 26, 2018 3:19 PM
  • I managed to test this yesterday; unfortunately, adding Chrome didn't work as mentioned

     https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

    I used their recommended string, as well as trying the code below.

    #Use an array list, as it's dynamic, arrays are fixed size
    [System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
    $UserAgents.add("chrome")
    # Use line below to roll back
    # $UserAgents.Remove("chrome")
    Set-ADFSProperties -WIASupportedUserAgents $UserAgents

    Restarted ADFS services, but Chrome still wouldn't perform SSO (WindowsIntegratedFallbackEnabled is true)

    Looking at the browser string from whoishostingthis my browser is reported as below. Do I need to add the entire string in and what happens if the next version of Chrome comes out?

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

    Thanks


    IT Support/Everything

    Friday, September 28, 2018 9:43 AM
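
An offline way to see which `WiaSupportedUserAgents` entries occur in a given User-Agent header, using the list and the Chrome string quoted in this thread (an added example, not code from any poster or from Microsoft). `Test-WiaUserAgentMatch` is a hypothetical helper; treating each entry as a substring of the header is an assumption, and because the thread does not say whether AD FS compares case, both results are shown.

```powershell
# Added example. Assumption: an entry "matches" when it occurs as a substring
# of the User-Agent header. Test-WiaUserAgentMatch is a hypothetical helper.
function Test-WiaUserAgentMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $SupportedAgents
    )
    foreach ($entry in $SupportedAgents) {
        [pscustomobject]@{
            Entry           = $entry
            # Ordinal comparison: the entry's case must match the header exactly
            MatchExactCase  = $UserAgent.IndexOf($entry, [System.StringComparison]::Ordinal) -ge 0
            # Same substring test with case ignored
            MatchIgnoreCase = $UserAgent.IndexOf($entry, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
    }
}

# The list printed by Get-AdfsProperties in the question, plus the "chrome"
# entry that was added later in the thread.
$supported = @(
    'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0',
    'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC',
    'Windows Rights Management Client', 'Mozilla/5.0', 'Edge/12', 'chrome'
)
# On an AD FS server the live list can be read instead:
# $supported = Get-AdfsProperties | Select-Object -ExpandProperty WiaSupportedUserAgents

# User-Agent string reported for Chrome 63 in the last post.
$chromeUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
            '(KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36'

# Show only the entries that occur in the header under either comparison.
Test-WiaUserAgentMatch -UserAgent $chromeUa -SupportedAgents $supported |
    Where-Object { $_.MatchIgnoreCase } |
    Format-Table -AutoSize
```

Rows where the two columns differ are entries whose effect depends on how the server treats case. A short, generic entry also occurs in the headers of many other clients, so review each entry for how broadly it applies before adding it.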